
Lloyds TSB tests password-generators

I am very interested in how banks protect their customers who use online banking, so it was good to stumble across this article, plus they are my bank and I use their online service.

By OUT-LAW.com 18 Oct 2005 08:47

Lloyds TSB tests password-generators

Begone, Phishing!

Around 30,000 customers of Lloyds TSB are being issued with a password-generating device that will add an extra layer of security when they do their online banking. But while it makes customers less vulnerable to internet fraud, the bank says its device is "not the end solution".

[Image: Person using the Access Code Device at the Lloyds TSB website.]

The Access Code Device generates a unique, one time only, six digit number that customers enter when they log on to the banking site.

The trial of the key ring-sized Access Code Device is the largest of its kind in the UK. Similar devices are already in use in corporate environments and AOL offers them to its US consumers for a small fee. Some banks in the Netherlands and Sweden have been using two-factor authentication for several years.

OUT-LAW spoke to Jason Bacon, Lloyds TSB's head of new business and customer development for internet banking, about the bank's latest move to combat phishing and other forms of internet fraud.

Customers taking part in the trial will log on to Lloyds TSB internet banking as normal using their user ID and password, but instead of entering their memorable information they will be asked to press the button on the Access Code Device to generate a unique code.

The customer then types in this code, which the bank verifies. Customers taking part in the trial will also be asked to use the Access Code Device to generate a new code to authorise some online transactions such as bill payments instead of their normal password.

If the code is intercepted, perhaps by someone running a website that purports to be Lloyds TSB's, the attacker has only 30 seconds to access the user's real account before the code becomes invalid. If the criminal gets this far and attempts a money transfer, the request for a second code should foil all but the most sophisticated attacks.

Bacon said the trial participants have been selected at random and represent a large cross-section of the bank's online customers. They will not pay to participate in the trial and Bacon did not disclose the costs to the bank of supplying the devices, although he pointed out that their costs are being driven down by competition and economies of scale.

He acknowledged that the devices are not without their drawbacks. An obvious one is that if they become ubiquitous for online authentication, customers with several internet accounts could face the inconvenience of carrying several devices.

Another drawback is accessibility: the devices do not work for visually impaired users. However, Bacon said that the manufacturers are working on a version that comes with a loudspeaker. If the Access Code Device is ever rolled out as a firm-wide solution, it will be compliant with the Disability Discrimination Act, he said.

But it may never be rolled out firm-wide. "Partly we want to see how customers react to two-factor authentication," he said of the trial. "Two factor authentication is inevitable – it's just a question of what and when." Running the trial gives Lloyds TSB valuable feedback on how its customers will react to added layers of security.

The move to two-factor authentication is consistent with guidance published in July by US banking industry watchdog the Federal Deposit Insurance Corporation (FDIC) which said banks should look at implementing multi-factor authentication methods. In the UK, the Association of Payment And Clearing Services (APACS) has also encouraged banks to move in this direction.

Bacon indicated that a longer-term security solution for online banking could be card readers. Chip and PIN has been rolled out in the UK as a means of reducing point of sale card fraud. The readers are found in shops but not in cardholders' homes – so they offer no protection against card-not-present (CNP) fraud.

According to Bacon, it's feasible that this will change to a card and card-reader solution, allowing consumers to use new chip and PIN credit and debit cards for secure CNP transactions and internet banking. Lloyds TSB will be monitoring these developments closely.

APACS has developed a standard for card-readers that is in "a very mature draft form," according to Richard Martin who facilitates APACS' e-banking fraud liaison group. The standard addresses details of cryptography and, for example, the buttons that will feature on the readers. Vendors are working on devices that will adhere to the standard and banks will be able to buy these for deployment to customers. Some vendors are working on readers that will be accessible to disabled users, according to Martin.

"We don't think anything is the end solution," said Bacon of the different anti-fraud solutions available and under development. "It's all part of a journey."

Of course, the journey changes direction when criminals find new means of attack – Trojans are on the increase, he says – but the bank offers one online banking guarantee that applies to all forms of attack.

The guarantee states: "We protect you against fraud on Lloyds TSB Internet banking. We use industry-standard levels of security. Of course, you must be careful, for example, take reasonable steps to keep your security information secret at all times. If you do, we will refund your money in the unlikely event of fraud."

We asked Bacon whether customers who fall for obvious phishing scams – those with email lures written in terrible English – are considered not to be taking "reasonable steps" to keep their security information secret. Bacon replied that "a very small number" of Lloyds TSB customers have been victims of phishing and added that refunds "will be considered on a case-by-case basis."

He said that the bank has a policy of educating its customers which is perhaps why few of them fall for phishing scams. He said the bank does not differentiate between the quality of scams. "We don't say 'you should have spotted that one as a scam' and only forgive those who fall for high quality phishing attacks."

As for the new card readers, Bacon said: "We think that it's a sensible cross-bank solution that will be there eventually."

The bank still stresses the need for customers to protect themselves by keeping their account details private. In addition to its online guarantee it is offering customers a free PC security scan to identify spyware; a 20% discount on firewall software from Zone Labs; and a security learning centre at lloydstsb.com, providing customers with hints and tips on what internet scams look like, how to protect their PCs and what to do if they think they might have been the victim of fraud.

I saw that on TV up here the other night. I remember starting to use a similar device for "secure tunneling" about 6 years ago. I think the supplier was RSA?

It seemed to work very well. The only problems I ever saw were when the battery started to run down and the device's clock fell outside the time window of the verification system.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

A lot of government agencies use this same kind of authentication when establishing VPN tunnels to work remotely. I wonder though, as practical as this may be, how many people will want to carry a token around on themselves all the time. From what I have experienced, if you lose them or they break (I SWEAR my bird ate it), they generally aren't cheap to replace. But who can argue that banks adding layered security isn't all for the better?

We use SecurID cards at work and they work great. These are the token cards made by RSA. There are two types of cards: one of them looks like a credit card and can be carried in your wallet or purse, and the other is about the size of a key, so you can put it on your keyring. I don't carry mine everywhere I go; I keep it at my house, which is where I do most of my work. If I'm travelling I put it into my laptop bag. I don't save my PIN in my VPN software, so even if somebody gets my user ID, token, and computer, they still can't log in as me.

Doing online banking on somebody else's machine/network is a major no-no, so I don't see why people would need to carry their token with them at all.

As for battery life, I've had my current token for the last three years. I think I'll automatically get a new one here in the next 6 months, which is well before the 5 or 6 year life span I have seen in the literature for this type of device. The battery life has improved greatly. The devices are also really cheap now. I think we paid $5 or $10 a piece for them in bulk several years ago. It could be cheaper, as I haven't been involved with the implementation of the devices for a while now.

They do sometimes get out of sync with the master server but that is easily corrected. We use a voice authentication system that authenticates the user, and then you enter two back to back six digit codes generated by the token. The token and the authentication server are then back in sync. I've had to do this once or twice in the 7 years we've been using tokens for VPN authentication.
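The three behaviours this thread touches on, the article's 30-second code window, the clock drift from the earlier reply, and the resync from two back-to-back codes described just above, as an added illustration in Python that is not the bank's, RSA's or any vendor's actual algorithm: an RFC 6238-style time-based code, a verifier that tolerates a small drift and rejects replays within the window, and a resync routine that searches for two consecutive codes. The secret, timestamps and window sizes are constructed for the demo.

```python
import hmac
import hashlib
import struct

STEP = 30    # seconds per code, the window quoted in the article
DIGITS = 6   # six-digit codes, as on the Access Code Device


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238-style code for one time step (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Server-side state for one token: learned clock offset plus redeemed steps."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift     # accepted skew either side of the server clock, in steps
        self.offset = 0        # token clock offset learned by resync, in steps
        self.used = set()      # steps already redeemed, so a captured code cannot be replayed

    def verify(self, code: str, now: float) -> bool:
        """Accept a code only for steps near the server clock and only once."""
        base = int(now) // STEP + self.offset
        for step in range(base - self.drift, base + self.drift + 1):
            if step not in self.used and hmac.compare_digest(totp(self.secret, step), code):
                self.used.add(step)
                return True
        return False   # expired, out of sync, wrong, or already used

    def resync(self, first: str, second: str, now: float, search: int = 50) -> bool:
        """Relearn the token's clock offset from two consecutive codes (as in the
        voice-authentication procedure described above). Returns True on success."""
        base = int(now) // STEP
        for delta in range(-search, search + 1):
            step = base + delta
            if totp(self.secret, step) == first and totp(self.secret, step + 1) == second:
                self.offset = delta
                return True
        return False
```

The `drift` of one step means a code is accepted for at most 30 seconds either side of the server clock, and once redeemed it is refused for the rest of that window.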

I tend to believe that the cost for the SecurID token covers the server, server licenses, and tokens, whereas in my post I was specifically talking about the token only. I know we didn't pay $69.50 for each token, but the cost of support and everything could have easily been in that range.